openstack/deb-python-pysaml2
Code Issues Proposed changes

Improved encryption to use metadata.

Browse Source
This commit is contained in:
Hans
2015-05-18 16:09:16 +02:00
parent 4162bdd50c
commit a7ed34c28c
3 changed files with 27 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

47
src/saml2/entity.py
View File

@@ -501,16 +501,31 @@ class Entity(HTTPBase):
else: else:
msg.extension_elements = extensions msg.extension_elements = extensions
def fix_cert_str(self, tmp_cert_str): def _encrypt_assertion(self, encrypt_cert, sp_entity_id, response, node_xpath=None):
tmp_cert_str = "%s" % self.sec.my_cert _certs = []
tmp_cert_str = tmp_cert_str.replace("-----BEGIN CERTIFICATE-----\n", "") cbxs = CryptoBackendXmlSec1(self.config.xmlsec_binary)
tmp_cert_str = tmp_cert_str.replace("\n-----END CERTIFICATE-----\n", "") if encrypt_cert:
return tmp_cert_str _certs = []
_certs.append(encrypt_cert)
elif sp_entity_id is not None:
_certs = self.metadata.certs(sp_entity_id, "any", "encrypt")
exception = None
for _cert in _certs:
try:
_, cert_file = make_temp(_cert, decode=False)
response = cbxs.encrypt_assertion(response, self.sec.cert_file,
pre_encryption_part(), node_xpath=node_xpath)
return response
except Exception as ex:
exception = ex
pass
if exception:
raise exception
def _response(self, in_response_to, consumer_url=None, status=None, def _response(self, in_response_to, consumer_url=None, status=None,
issuer=None, sign=False, to_sign=None, issuer=None, sign=False, to_sign=None, sp_entity_id=None,
encrypt_assertion=False, encrypt_assertion_self_contained=False, encrypted_advice_attributes=False, encrypt_assertion=False, encrypt_assertion_self_contained=False, encrypted_advice_attributes=False,
encrypt_cert=None,sign_assertion=None, **kwargs): encrypt_cert=None, encrypt_cert_assertion=None,sign_assertion=None, **kwargs):
""" Create a Response. """ Create a Response.
Encryption: Encryption:
encrypt_assertion must be true for encryption to be performed. If encrypted_advice_attributes also is encrypt_assertion must be true for encryption to be performed. If encrypted_advice_attributes also is
@@ -530,6 +545,7 @@ class Entity(HTTPBase):
:return: A Response instance :return: A Response instance
""" """
if not status: if not status:
status = success_status_factory() status = success_status_factory()
@@ -582,16 +598,11 @@ class Entity(HTTPBase):
if to_sign_advice: if to_sign_advice:
response = signed_instance_factory(response, self.sec, to_sign_advice) response = signed_instance_factory(response, self.sec, to_sign_advice)
tmp_cert_str = self.fix_cert_str("%s" % encrypt_cert) response = self._encrypt_assertion(encrypt_cert, sp_entity_id, response, node_xpath=node_xpath)
_, cert_file = make_temp("%s" % encrypt_cert, decode=False)
response = cbxs.encrypt_assertion(response, cert_file,
pre_encryption_part(), node_xpath=node_xpath)
encrypt_advice = True
if encrypt_assertion: if encrypt_assertion:
response = response_from_string(response) response = response_from_string(response)
if encrypt_assertion: if encrypt_assertion:
if encrypt_assertion_self_contained: if encrypt_assertion_self_contained:
assertion_tag = None
try: try:
assertion_tag = response.assertion._to_element_tree().tag assertion_tag = response.assertion._to_element_tree().tag
except: except:
@@ -607,15 +618,7 @@ class Entity(HTTPBase):
to_sign_assertion.append((class_name(response.assertion), response.assertion.id)) to_sign_assertion.append((class_name(response.assertion), response.assertion.id))
if to_sign_assertion: if to_sign_assertion:
response = signed_instance_factory(response, self.sec, to_sign_assertion) response = signed_instance_factory(response, self.sec, to_sign_assertion)
if encrypt_cert is not None and not encrypt_advice: response = self._encrypt_assertion(encrypt_cert_assertion, sp_entity_id, response)
_, cert_file = make_temp("%s" % encrypt_cert, decode=False)
else:
tmp_cert_str = self.fix_cert_str("%s" % self.sec.my_cert)
_, cert_file = make_temp(tmp_cert_str, decode=False)
response = cbxs.encrypt_assertion(response, cert_file,
pre_encryption_part())
# template(response.assertion.id))
if sign: if sign:
return signed_instance_factory(response, self.sec, sign_class) return signed_instance_factory(response, self.sec, sign_class)
else: else:

2
src/saml2/server.py
View File

@@ -399,7 +399,7 @@ class Server(Entity):
self.session_db.store_assertion(assertion, to_sign) self.session_db.store_assertion(assertion, to_sign)
return self._response(in_response_to, consumer_url, status, issuer, return self._response(in_response_to, consumer_url, status, issuer,
sign_response, to_sign, encrypt_assertion=encrypt_assertion, sign_response, to_sign,sp_entity_id=sp_entity_id, encrypt_assertion=encrypt_assertion,
encrypt_cert=encrypt_cert, encrypt_cert=encrypt_cert,
encrypt_assertion_self_contained=encrypt_assertion_self_contained, encrypt_assertion_self_contained=encrypt_assertion_self_contained,
encrypted_advice_attributes=encrypted_advice_attributes,sign_assertion=sign_assertion, encrypted_advice_attributes=encrypted_advice_attributes,sign_assertion=sign_assertion,

2
tests/test_50_server.py
View File

@@ -678,7 +678,7 @@ class TestServer1():
name_id=name_id, name_id=name_id,
sign_response=False, sign_response=False,
sign_assertion=False, sign_assertion=False,
encrypt_assertion=True, encrypt_assertion=False,
encrypt_assertion_self_contained=True, encrypt_assertion_self_contained=True,
encrypted_advice_attributes=True, encrypted_advice_attributes=True,
encrypt_cert=cert_str, encrypt_cert=cert_str,